help-gnu-radius
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Help-gnu-radius] Thanks for your advices!

From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Thanks for your advices!
Date: Wed, 17 Nov 2004 13:39:36 +0200 
Hi,

Unfortunately my current load average prevented me from attending
your question earlier. My apologies!

To begin with, let me notice that granting access to everybody when
the SQL server is down is highly insecure. This actually means that any
intruder is able to enter your network once the SQL server becomes not
available. This is why RFC 2865 explicitely prohibits any usage of
fall-back authentication entries (see chapter 2):

   the RADIUS server consults a database of users to find the
   user whose name matches the request.  The user entry in the database
   contains a list of requirements which must be met to allow access
   for the user. 
   [...]
   If any condition is not met, the RADIUS server sends an "Access-
   Reject" response indicating that this user request is invalid.        

In accordance with that GNU Radius will not try any other authentication
profiles once the first matching one fails.

It is however possible to override this implementing an authentication method
upon some kind of Radius extension. For example, let's suppose you
have an external program (say "myauth"), that takes user name and
password as its arguments, compares them with the data from the database
and returns 0 if they match and 1 otherwise. If the database is not
answering, the program returns 0, indicating that the user is allowed
to log in. To invoke such a program, you would put the following entry
in your raddb/users:

DEFAULT   Auth-Type = Accept,
                    [Other check pairs]
          Exec-Program-Wait = "/path/to/myauth %C{User-Name} %C{User-Password}",
                    [Other reply pairs]

See http://www.gnu.org/software/radius/manual/html_node/radius_192.html#SEC290
for more details on Exec-Program-Wait.    

Otherwise, it is possible to implement this using Guile extension. Assuming,
you use hashed passwords in the database, the following Guile function
will allow the user to log in if his/her password matches the one in
the database, or if the database is down:

(define (auth req check reply)
  (let* ((username (assoc "User-Name" req))
         (password (assoc "User-Password" req)))
    (let ((res (radius-sql-query
                SQL_AUTH
                (string-concat
                 "SELECT ENCRYPT("
                 password
                 ",password)=password FROM pass WHERE user_name='"
                 username
                 "'"))))
      (or (not res)
          (and (not (null? res))
               (string=? (caar res) "1"))))))

(The function uses the default GNU Radius authentication table and
supposes that the passwords are kept in hashed form. You will have to
suit it to your needs if this is not the case in your setup)

To use the function, one would add the following profile to the
raddb/users:

DEFAULT Auth-Type = Accept,
                [Other check pairs]
        Scheme-Procedure = "auth",
                [Other reply pairs]      

See http://www.gnu.org/software/radius/manual/html_node/radius_122.html#SEC213
for the detailed information about Guile extensions.

Regards,
Sergey
reply via email to
[Prev in Thread] Current Thread [Next in Thread]